Archive

If ever the term ‘secret services’ frightened you, stop worrying. Or maybe start worrying. Either way, BUGGER by Adam Curtis will give you a good laugh. It lays bare the fallacy that the spies we employ through our taxes and who spend more time spying on us than anyone else, know what they’re doing. Or are competent enough to do what they think they are doing.

It’s a series of stories about MI5, “and the very strange people who worked there. They are often funny, sometimes rather sad – but always very odd.”

It all started more than 100 years ago when a Franco/Brit called Le Queux wrote a fiction about a German invasion. I’m guessing it didn’t sell too well, because he took it to the Daily Mail. Lord Northcliffe ran the story as “‘The Invasion of 1910′ and it described how the Germans landed in East Anglia and marched on London.”

Thousands of Daily Mail readers wrote in, saying they had seen suspicious people – obviously German spies. Instantly, well rapidly, Britain’s spy service of one man and two assistants morphed into MI5, “created in large part by the dreams of a socially excluded novelist, and the paranoid imaginings of the readers of the Daily Mail.”

In other words, MI5 was born on the back of a lie (probably standing on the backs of four elephants on a turtle – pure comic fantasy). But it has carried on lying ever since. One such lie is the apprehension of a huge German spy ring in 1914. Historian Nicholas Hiley says,

One of the most famous successes of the British Security Service was its great spy round-up of August 1914. The event is still celebrated by MI5, but a careful study of the recently-opened records show it to be a complete fabrication – MI5 created and perpetuated this remarkable lie.

The great spy round-up of August 1914 never took place – as it was a complete fabrication designed to protect MO5(G) from the interference of politicians or bureaucrats.

The claim made next day that all but one had been arrested was false, and its constant repetition by Kell and Holt-Wilson [director and deputy director) was a lie.

And MI5 hasn’t stopped lying. Perhaps the biggest continuing lie is that it catches spies. “The terrible truth,” writes Curtis, “truth that began to dawn in the 1980s was that MI5 – whose job it was to catch spies that threatened Britain – had never by its own devices caught a spy in its entire history.”

There was one spy called Geoffrey Prime. He actually worked for GCHQ and sold secrets to the Russians. And he was caught – not by MI5 or GCHQ, but by the Cheltenham police.

And so it goes on. WMD in Iraq anyone? The whole war on terror, perhaps? It’s certainly true that after the end of the Cold War with Russia, MI5 should have contracted. It didn’t though, because along came the war on terror that forced it, for the sake of national security, to expand and expand and expand.

So why do we need to worry about such ineptitude? It is simply this: MI5 and GCHQ are spying on all of us, and are pressuring the government to give them even greater surveillance powers. The phrase that it and the government always throw out is, “if you haven’t done anything wrong you have nothing to worry about.”

Really? With this lot? It seems to me, on the basis of Adam Curtis’ potted history, if you haven’t done anything wrong you’ve got everything to worry about. It’s only by being a genuine threat that you will avoid the myopic gaze of the British intelligence services.

Share this:

Lisa Vaas states that “US customs can and will seize laptops and cellphones, [and] demand passwords”. Her article should be required reading for anyone crossing US borders. She cites an article in Sunday’s Boston Globe which describes the seizure of researcher David House’s laptop, with the authorities apparently looking for House’s connections with Bradley Manning.

Lisa makes it very clear that the American Constitution counts for nothing at the borders, and that the authorities are free to seize and search pretty much at will.

There is no mention on whether House’s computer was encrypted. But at the beginning of this year (too late for this incident) the Electronic Frontier Foundation (EFF) urged a single new year resolution: full disk encryption as a matter of course for all computers.

In one instance, ICE held onto David House’s laptop, thumb drive, and digital camera for 49 days. An acquaintance of accused WikiLeaks whistleblower Bradley Manning, Mr. House was returning from Mexico when agents confiscated his electronic equipment. While the Justice Department conceded that it held onto his laptop for longer than thirty days, it explained that “[t]he lack of password access required ICE computer experts to spend additional time on Mr. House’s laptop.” Kevin Poulsen, Feds Defend Seizure of Wikileaks Supporter’s Laptop, Wired Threat Level ( July 28, 2011).

Needless to say, the Wired article gives further details. My assumption is that the US authorities got past House’s access password, but not any encryption on the system.

Either way, the moral of this story is that if you value the privacy of your data and even think about visiting the United States, either don’t, or make sure you use the strongest whole disk encryption you can get.

Share this:

As if we didn’t already know it, where security is concerned, the user is the flaw. Guido has published the perfect example:

Everyone has to carry around not only their government communications network issued Blackberry phone, but a Blackberry Smart Card Reader too, with another SIM card in it. If the two are separated by more than ten metres or so the Blackberry stops working. So if a pickpocket stole the Blackberry, it would stop working. Carrying two units is a little cumbersome and inconvenient. Unfortunately from a security point of view, the wonks and spinners have taken to just sello-taping the two of them back to back…Downing Street’s iSpAd Blackberry Security Flaw

It describes another typically secretive attempt to persuade government to instigate internet blocking on behalf of rightsholders. The irony? Up pops a little message from T-Mobile: “The website you are trying to access is blocked by Content Lock as it contains content that is unsuitable for under 18s.”

T-Mobile's Content Lock censorship tool

Me? Under 18?

I didn’t ask for this. I certainly didn’t pay for it. I am not under 18. And I don’t use credit cards. So, basically, I’m stuffed by T-Mobile – who, once this subscription runs out, I shall never use again.

But it does show the danger of these ‘voluntary’ blocking schemes, by whomever, for whatever: they will be used for censorship, and there will be nothing we can do about them. So we simply mustn’t allow them.

Share this:

Empiricism. It is the acceptance of proof based on experience. Empiricism suggests that we should doubt politicians. Empiricism shows that they use fine words followed by foul deeds.

Neelie Kroes, Vice President of the European Commission

Security is a perfect example. Where security is concerned, the art of politics is to persuade us that what we really want is whatever they give us. Consider Neelie Kroes, Vice President of the European Commission. On Tuesday she met with “a dozen high-flying young Europeans” and subsequently wrote

…we talked about issues of privacy and cyber-security—and how the law should find the right balance. There are clearly risks online—as there are out there in the real world. But if we over-regulate in response to that then we risk losing what is most precious about the internet—its openness and freedom. And so, for me, the best way to tackle security and privacy issues is to inform and empower digital citizens so they are aware of and can deal with those risks, just like they would in the off-line world.

The implication is that the EC is well aware that too much security means too little freedom; and because of that, the EC will strike the right balance. But the right balance is what they tell us it is. And empiricism shows that all governments use security to increase control regardless of civil liberties. ACTA, the Digital Economy Act, net neutrality, HADOPI, RIPA all come to mind. Where is the right balance in any of these?

So let’s not praise fine words until they are backed by fine deeds. And let’s not hold our breaths.

Share this:

Amit Klein, CTO at Trusteer, has an interesting blog on the incidence of successful phishing:

We recently conducted research into the attack potency and time-to-infection of email phishing attacks. One of our findings was eye-popping, namely, that 50 per cent of phishing victims’ credentials are harvested by cyber criminals within the first 60 minutes of phishing emails being received. Given that a typical phishing campaign takes at least one hour to be identified by IT security vendors, which doesn’t include the time required to take down the phishing Web site, we have dubbed the first 60 minutes of a phishing site’s existence [as] the critical ‘golden hour’.

Trusteer phishing graph

Trusteer’s solution is for the security industry to recognise and react to phishing campaigns with greater speed:

As an industry, our goal should be to reduce the time it takes for institutions to detect they are being targeted by a phishing attack from hours to within minutes of the first customer attempting to access a rogue phishing page. We also need to establish really quick feeds into browsers and other security tools, so that phishing filters can be updated much more quickly than they are today. This is the only way to swiftly takedown phishing websites, protect customers, and eliminate the golden hour. Blog entry

But as users, we cannot simply rely on the industry to protect us. That is a dereliction of responsibility when we need to accept more, not less, personal responsibility for our behaviour online. Amit Klein is right – the industry needs to be as effective as possible. But just as the industry needs to block phishers, we as users need to ignore phishers.

There are two primary actions we can take. The first is increased security awareness; and that means continuous staff training. The second is to make it more difficult to be phished, by preventing the automatic running of scripts by our browsers. For example, Firefox users can install the NoScript add-on (see here for an interview with its developer, Giorgio Maone). Non-Firefox users should become Firefox users.

His company, an erstwhile hero of mine, Apple, has applied for a patent for which EFF has had to invent a new word: traitorware.

In other words, Apple will know who you are, where you are, and what you are doing and saying and even how fast your heart is beating. In some embodiments of Apple’s “invention,” this information “can be gathered every time the electronic device is turned on, unlocked, or used.” When an “unauthorized use” is detected, Apple can contact a “responsible party.” A “responsible party” may be the device’s owner, it may also be “proper authorities or the police.”

Apple does not explain what it will do with all of this collected information on its users, how long it will maintain this information, how it will use this information, or if it will share this information with other third parties. We know based on long experience that if Apple collects this information, law enforcement will come for it, and may even order Apple to turn it on for reasons other than simply returning a lost phone to its owner.

No matter. Nietzsche has an answer to the fallacy of God. We must stop believing in Apple. Then we will have killed Apple. I think it is time to fall out of love with Apple, and to return to the secularism of open systems.